How to prevent duplicate alerts from Security Analytics Detector

Plugins Security Analytics
1

Hello,

I have a problem with my Security Analytics Detector configuration.

My Goal: I want to detect a specific command (input: 'rz') in new logs only.

My Setup:

  • I am using the Security Analytics plugin.

  • My Detector is scheduled to run every 1 minute.

The Problem: Every minute when the detector runs, it appears to re-scan all historical logs in my index. It’s not just checking the “latest” logs.

This causes the system to find the same old rz logs from hours (or days) ago and send me the exact same duplicate alert, every single minute.

My Question: How can I configure my Detector (or its Rule) to only check the newest logs (e.g., only data from the last 1-2 minutes) and stop it from scanning all of history?

I just want to be alerted for new events, not old ones repeatedly.

Thank you.

2

@plane636 I don’t think there is a way to add period in the SA alerts. For the use case you mentioned you should be using alerting module instead of security analytics, which runs using detection rules.

The alert can be configured in the following way:

First create the destination id:

POST _plugins/_notifications/configs
{
  "config": {
    "name": "slack_security_alerts",
    "description": "Security Analytics alerts to Slack",
    "config_type": "slack",
    "is_enabled": true,
    "slack": {
      "url": "https://hooks.slack.com/services/T06F0G89N84/B07E2ES9WLR/xzxb3o8EUvxGCAFZQ....."
    }
  }
}

Then using the destination ID create the alert. Note the timestamp range filter.

POST _plugins/_alerting/monitors
{
  "name": "Failed logins in last minute (security-auditlog)",
  "type": "monitor",
  "enabled": true,
  "schedule": {
    "period": {
      "interval": 1,
      "unit": "MINUTES"
    }
  },
  "inputs": [
    {
      "search": {
        "indices": [
          "security-auditlog-2025.11.26"
        ],
        "query": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "{{period_end}}||-1m",
                      "lte": "{{period_end}}",
                      "format": "epoch_millis"
                    }
                  }
                },
                {
                  "term": {
                    "audit_category.keyword": "FAILED_LOGIN"
                  }
                }
              ]
            }
          }
        }
      }
    }
  ],
  "triggers": [
    {
      "name": "Any failed login in last minute",
      "severity": "2",
      "condition": {
        "script": {
          "lang": "painless",
          "source": "return ctx.results[0].hits.total.value > 0;"
        }
      },
      "actions": [
        {
          "name": "Send to Slack – Security Alerts",
          "destination_id": "QmiMwZoBWMHgRWmXgI5A",
          "message_template": {
            "lang": "mustache",
            "source": "*FAILED_LOGIN detected in the last minute*\nCluster: {{ctx.monitor.name}}\nHits: {{ctx.results[0].hits.total.value}}\nPeriod end: {{ctx.periodEnd}}"
          },
          "throttle_enabled": false
        }
      ]
    }
  ]
}